highly experimental macOS hijacking for v8killer launcher #28
Conversation
|
本人目前的执行流程(以 QQ 举例): Running `/Users/stevexmh/Documents/programs/v8_killer/target/debug/v8_killer_launcher /Applications/QQ.app/Contents/MacOS/QQ`
[*] Executable: /Applications/QQ.app/Contents/MacOS/QQ
[*] Args: []
[*] Core lib path: /Users/stevexmh/Documents/programs/v8_killer/target/debug/libv8_killer_core.dylib
[*] creating executable temp path: "/var/folders/yz/gfxc6vfd04lg_h_j1kcgy39h0000gn/T/v8-killer-app-.jyvqYv6RduuI"
[*] executable is under a bundle: "/Applications/QQ.app"
[*] copying bundle to temp path: "/var/folders/yz/gfxc6vfd04lg_h_j1kcgy39h0000gn/T/v8-killer-app-.jyvqYv6RduuI/QQ.app"
[*] removing signature: "/var/folders/yz/gfxc6vfd04lg_h_j1kcgy39h0000gn/T/v8-killer-app-.jyvqYv6RduuI/QQ.app"
[*] removed signature: "/var/folders/yz/gfxc6vfd04lg_h_j1kcgy39h0000gn/T/v8-killer-app-.jyvqYv6RduuI/QQ.app"
[*] copying v8_killer to temp path: "/var/folders/yz/gfxc6vfd04lg_h_j1kcgy39h0000gn/T/v8-killer-app-.jyvqYv6RduuI/QQ.app/Contents/Frameworks/V8Killer.framework/libv8_killer_core.dylib"
[*] hijacking bundle executable...
[*] hijacking "/var/folders/yz/gfxc6vfd04lg_h_j1kcgy39h0000gn/T/v8-killer-app-.jyvqYv6RduuI/QQ.app/Contents/Frameworks/V8Killer.framework/libv8_killer_core.dylib" to "/var/folders/yz/gfxc6vfd04lg_h_j1kcgy39h0000gn/T/v8-killer-app-.jyvqYv6RduuI/QQ.app/Contents/MacOS/QQ"
[crates/insert_dylib/src/lib.rs:103:24] args = [
"insert_dylib",
"--all-yes",
"--inplace",
"--strip-codesig",
"/var/folders/yz/gfxc6vfd04lg_h_j1kcgy39h0000gn/T/v8-killer-app-.jyvqYv6RduuI/QQ.app/Contents/Frameworks/V8Killer.framework/libv8_killer_core.dylib",
"/var/folders/yz/gfxc6vfd04lg_h_j1kcgy39h0000gn/T/v8-killer-app-.jyvqYv6RduuI/QQ.app/Contents/MacOS/QQ",
]
[crates/insert_dylib/src/lib.rs:108:50] args.len() as c_int = 6
insert_dylib_main
Binary is a fat binary with 2 archs.
It doesn't seem like there is enough empty space. Continue anyway? [y/n] y
It doesn't seem like there is enough empty space. Continue anyway? [y/n] y
Added LC_LOAD_DYLIB to all archs in /var/folders/yz/gfxc6vfd04lg_h_j1kcgy39h0000gn/T/v8-killer-app-.jyvqYv6RduuI/QQ.app/Contents/MacOS/QQ
[crates/insert_dylib/src/lib.rs:108:18] unsafe { insert_dylib_main(dbg!(args.len() as c_int), args.as_ptr()) } = 0
[*] signing modified executable/dylib...
Executable=/Applications/QQ.app/Contents/MacOS/QQ
[*] signed: "/var/folders/yz/gfxc6vfd04lg_h_j1kcgy39h0000gn/T/v8-killer-app-.jyvqYv6RduuI/QQ.app/Contents/Frameworks/V8Killer.framework"
/var/folders/yz/gfxc6vfd04lg_h_j1kcgy39h0000gn/T/v8-killer-app-.jyvqYv6RduuI/QQ.app: internal error in Code Signing subsystem
[*] failed to sign: "/var/folders/yz/gfxc6vfd04lg_h_j1kcgy39h0000gn/T/v8-killer-app-.jyvqYv6RduuI/QQ.app"
thread 'main' panicked at crates/launcher/src/lib.rs:290:55:
called `Result::unwrap()` on an `Err` value: "failed to sign"
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace |
|
Thank you very, very much for your efforts, but I think this is a PR I probably won't merge. I think it's a very primitive solution and at the same time out of the focus of this project. Thank you very much for your contribution and I look forward to your ideas. |
|
Perhaps you could try moving this patch-related logic into a separate program. |
ShellWen
added
enhancement
If that is what your project was focus on, then there (almost) won't be any methods for the program that has been already signed to inject, and only the program that was compiled from user's computer can be able to inject the dynamic library. And our situation is that all the programs we wanted to patch was always bundled in application bundle and all of them are signed. |
Also, I have checked the error logging from the |
|
I mean, V8 Killer is more of a tool for developers than for end users. |
Well, so if just focus for developer then it will be okay to inject by setting environment variable or other convenience methods. I'll split the code only focus on just injecting V8 Killer. |
|
I may have some other enhancements that can improve developer experience, but will be present on separate pull request or only my fork. |
|
Before merging PRs, I would like to ask if there is an easy way to detect if the injection is successful or not? I mean, is it possible to show an error message to the user if the injection is unsuccessful due to codesign issues? |
|
After completing all the tasks, please request a review from me. Thank you very much for your help. |
|
It would be nice if you could add support for GitHub Actions on macOS, which I know next to nothing about. |
AFAIK, programs that have signed or disabled dylib hijacking entitlement will simpily ignore the environment variable, or just failed to launch without any exit code. So you may have to implement a method that can let V8 Killer invoke to the launcher that the operation was succeed. |
Steve-xmh
force-pushed
the
master
branch
3 times, most recently
from
d15aa06
to
d6f191c
Compare
I've modified CI workflow file with these changes:
Here's a succeed job that you can check the artifacts and output: https://github.com/Steve-xmh/v8_killer/actions/runs/8128486657/job/22214430999 |
|
@ShellWen please have a review, thanks! |
I'm lazy to do that. So... It's Okay. 😇 |
|
I'm so grateful. 🥰 |
WARNING: Still very unstable and not-process-elegant :P
I assume that user have installed Xcode on their Mac computers which contains
codesignfor re-signing the target executable program. Then we copy the entire application bundle to a temporary direction to modify the program to hijacking v8killer. Then sign and run, that's it.